This article covers the question of VeraCode reporting ServiceStack OrmLite for Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") (CWE ID 89) and how the finding was handled; it may serve as a reference for anyone triaging the same report.

Problem description


Ok, so I am using ServiceStack OrmLite for my data needs in my Web API. When I submitted my code to VeraCode for code security scanning and verification, the result report showed that OrmLite shows potential SQL Injection attack vectors.

ServiceStack.OrmLite.dll       GridReader DapperMultiple(System.Data.IDbConnection, string, object, System.Data.IDbTransaction,System.Nullable<int>, System.Nullable<System.Data.CommandType>)

ServiceStack.OrmLite.dll       int ExecuteCommand(System.Data.IDbConnection, System.Data.IDbTransaction, string, System.Action<System.Data.IDbCommand,object>, object, System.Nullable<int>, System.Nullable<System.Data.CommandType>)

ServiceStack.OrmLite.dll       int ExecuteDapper(System.Data.IDbConnection, string, object, System.Data.IDbTransaction, System.Nullable<int>, System.Nullable<System.Data.CommandType>)

ServiceStack.OrmLite.dll       object Scalar(System.Data.IDbCommand, string)

ServiceStack.OrmLite.dll       System.Data.IDataReader ExecReader(System.Data.IDbCommand, string)

ServiceStack.OrmLite.dll       System.Data.IDataReader ExecReader(System.Data.IDbCommand, string, System.Collections.Generic.IEnumerable<System.Data.IDataParameter>)


I'm not sure how to triage this. Should I replace OrmLite with EntityFramework?

Recommended answer


During a code-readout with VeraCode, the suggested proper remediation was to replace ServiceStack ORM with EntityFramework 6.1.


This was only a minor update to the repositories pattern currently in place.
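Added example, not code from the question or the answer: every entry in the report above is an overload that executes a SQL string, so a CWE-89 finding at those sinks is a real injection only where that string is built from caller-controlled text. The C# below, assuming a constructed `Customer` table on an in-memory SQLite connection (ServiceStack.OrmLite.Sqlite package), shows a concatenated OrmLite filter beside the parameterized and typed forms that keep the value out of the SQL text.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using ServiceStack.DataAnnotations;
using ServiceStack.OrmLite;

// Constructed POCO for this example; not part of the original question.
public class Customer
{
    [AutoIncrement] public int Id { get; set; }
    public string Name { get; set; }
}

public static class CustomerRepository
{
    // The pattern a CWE-89 scan is looking for: caller-supplied text is spliced
    // into the filter string, so any quote in the value terminates the literal
    // and the rest of the value is parsed as SQL.
    public static List<Customer> FindByNameUnsafe(IDbConnection db, string name) =>
        db.Select<Customer>($"Name = '{name}'");

    // Same query with the value bound as the @name parameter: the SQL text is a
    // constant, and the caller's value is only ever compared, never parsed.
    public static List<Customer> FindByName(IDbConnection db, string name) =>
        db.Select<Customer>("Name = @name", new { name });

    // OrmLite's typed expression API avoids SQL strings entirely, which keeps
    // these sinks out of the scanner's data-flow path altogether.
    public static List<Customer> FindByNameTyped(IDbConnection db, string name) =>
        db.Select<Customer>(c => c.Name == name);
}

public static class Program
{
    public static void Main()
    {
        var dbFactory = new OrmLiteConnectionFactory(":memory:", SqliteDialect.Provider);
        using var db = dbFactory.Open();
        db.CreateTable<Customer>();
        db.Insert(new Customer { Name = "O'Brien" });

        // A legitimate name containing a quote: the parameterized and typed
        // lookups find the row, while the concatenated filter produces
        // malformed SQL, the same channel an attacker-controlled value would use.
        Console.WriteLine(CustomerRepository.FindByName(db, "O'Brien").Count);
        Console.WriteLine(CustomerRepository.FindByNameTyped(db, "O'Brien").Count);
        try { CustomerRepository.FindByNameUnsafe(db, "O'Brien"); }
        catch (Exception e) { Console.WriteLine("unsafe filter failed: " + e.Message); }
    }
}
```

Replacing the ORM, as the answer recommends, does not by itself close the finding if the same concatenated strings are passed to the new ORM's raw-SQL methods; the check that matters is whether any flagged call receives a string built from request data.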


10-19 11:41